sakula | 20092dbc1daf981353fb869d8be7f2070953052f75808a949e34fbe9a156be7c

General

Target

9df73150049582985ec8abd22e42ce91_JC.exe
Size

42KB
MD5

9df73150049582985ec8abd22e42ce91
SHA1

5cf2b9bc98ac8eabf068c0ff08a74e7f0ace5682
SHA256

20092dbc1daf981353fb869d8be7f2070953052f75808a949e34fbe9a156be7c
SHA512

c5df3ccd06f8f47f83ac4308c9a7920eaf5ed210eac92da5c39392da11cd6da26680edfb4709dc73433d1734da04deb811faa4ef2bf135d5844e84d4f4dc7f59
SSDEEP

768:fvQB/z0pqrLoyT8I+E1j+KPPIYu8T0aTsJK56VO8XM0Wns+b2znpNqPM:fODhc+yBJW0WTU5XM1nJqjp00

Score

10^/10

sakula persistence rat trojan upx

Malware Config

Extracted

Family

sakula

C2

www.polarroute.com

Signatures

Sakula
Sakula is a remote access trojan with various capabilities.
trojan rat sakula

Sakula payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2172-7-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral1/memory/2424-10-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral1/memory/2172-15-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula
behavioral1/memory/2424-25-0x0000000000400000-0x0000000000424000-memory.dmp	family_sakula

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2612 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

MediaCenter.exe

pid process

2424 MediaCenter.exe
Loads dropped DLL 1 IoCs

Processes:

9df73150049582985ec8abd22e42ce91_JC.exe

pid process

2172 9df73150049582985ec8abd22e42ce91_JC.exe

pid	process
2612	cmd.exe

pid	process
2424	MediaCenter.exe

pid	process
2172	9df73150049582985ec8abd22e42ce91_JC.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2172-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/2172-4-0x00000000002C0000-0x00000000002E4000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe	upx
behavioral1/memory/2172-7-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2424-10-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2172-15-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2424-25-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9df73150049582985ec8abd22e42ce91_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MicroMedia = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MicroMedia\\MediaCenter.exe"	9df73150049582985ec8abd22e42ce91_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2256 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

9df73150049582985ec8abd22e42ce91_JC.exe

description pid process

Token: SeIncBasePriorityPrivilege 2172 9df73150049582985ec8abd22e42ce91_JC.exe

pid	process
2256	PING.EXE

description	pid	process
Token: SeIncBasePriorityPrivilege	2172	9df73150049582985ec8abd22e42ce91_JC.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9df73150049582985ec8abd22e42ce91_JC.execmd.exe

description	pid	process	target process
PID 2172 wrote to memory of 2424	2172	9df73150049582985ec8abd22e42ce91_JC.exe	MediaCenter.exe
PID 2172 wrote to memory of 2424	2172	9df73150049582985ec8abd22e42ce91_JC.exe	MediaCenter.exe
PID 2172 wrote to memory of 2424	2172	9df73150049582985ec8abd22e42ce91_JC.exe	MediaCenter.exe
PID 2172 wrote to memory of 2424	2172	9df73150049582985ec8abd22e42ce91_JC.exe	MediaCenter.exe
PID 2172 wrote to memory of 2612	2172	9df73150049582985ec8abd22e42ce91_JC.exe	cmd.exe
PID 2172 wrote to memory of 2612	2172	9df73150049582985ec8abd22e42ce91_JC.exe	cmd.exe
PID 2172 wrote to memory of 2612	2172	9df73150049582985ec8abd22e42ce91_JC.exe	cmd.exe
PID 2172 wrote to memory of 2612	2172	9df73150049582985ec8abd22e42ce91_JC.exe	cmd.exe
PID 2612 wrote to memory of 2256	2612	cmd.exe	PING.EXE
PID 2612 wrote to memory of 2256	2612	cmd.exe	PING.EXE
PID 2612 wrote to memory of 2256	2612	cmd.exe	PING.EXE
PID 2612 wrote to memory of 2256	2612	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\9df73150049582985ec8abd22e42ce91_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9df73150049582985ec8abd22e42ce91_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe
2⤵
- Executes dropped EXE
PID:2424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 & del /q "C:\Users\Admin\AppData\Local\Temp\9df73150049582985ec8abd22e42ce91_JC.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8E7WD55\atgdtezy1680351636[1].htm

Filesize
2KB

MD5
9686bb07f149efbde3cfe23a42f031cf

SHA1
8b5808453866bb756c76c80465ee4ab95eafabf0

SHA256
b3d1f154196da426457e06c00078270fb81560480366f98682df531ff7ea69fb

SHA512
6705e55e1dfab289b50db6904a2bf9938e28900402ef438a9e5ca2b01d2d70eb8279ec03a4aaca85d2436c169cbf72ec03c55a6ea6e261df61fb11b0a2aa4cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
42KB

MD5
e91bea2a76b11823a378377861aa81fb

SHA1
23e3b5467c5634b42a06d1ae87dcfb1ab9ee4bf1

SHA256
f3ff6e93ae99b730ec82fa7b64a1789da639b5bf67bf4fb963e98c5f7dc7f6e5

SHA512
b2f74370b1acf4293a57ae51cc4f81c7cdebc1f8a8895248ce541b7f9bedb546dff057b6d70bf982157f2cc89fe6762491b80040b3673abfe6f644d7c84c0e71

Download Submit
\Users\Admin\AppData\Local\Temp\MicroMedia\MediaCenter.exe

Filesize
42KB

MD5
e91bea2a76b11823a378377861aa81fb

SHA1
23e3b5467c5634b42a06d1ae87dcfb1ab9ee4bf1

SHA256
f3ff6e93ae99b730ec82fa7b64a1789da639b5bf67bf4fb963e98c5f7dc7f6e5

SHA512
b2f74370b1acf4293a57ae51cc4f81c7cdebc1f8a8895248ce541b7f9bedb546dff057b6d70bf982157f2cc89fe6762491b80040b3673abfe6f644d7c84c0e71

Download Submit
memory/2172-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2172-4-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/2172-7-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2172-8-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/2172-15-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2172-16-0x00000000002C0000-0x00000000002E4000-memory.dmp

Filesize
144KB

Download
memory/2424-10-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2424-25-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads